API for config.zscaler.com?

Hello.

I’m going to open a support ticket about this too but I think the answer will be no so hopefully a product manager may pick this up.

Is there an API for config.zscaler.com? That is, something that I can interact with to obtain IP addresses/networks for CENR, PAC et al so that I can dynamically update my infrastructure?

Prior to the all new config site, I had written an internal API that our Palo Alto firewalls would query to update security policies with the latest CENR networks, PAC IPs etc. But the new config site uses Javascript and expects the client to be a web browser, so my API is broken and we’re back to tracking changes manually and updating our firewalls by hand which is far from ideal.

It would be useful if Zscaler could provide a native API that would return results in an easily parsed format such as XML or JSON.

Thoughts?

1 Like

https://api.config.zscaler.com/zscaler.net/zpa/json

3 Likes

Cheers @jsood. Appreciate the fast response.

Here is a full list of endpoints:

https://api.config.zscaler.com/zscaler.net/cenr/json
https://api.config.zscaler.com/zscaler.net/cenr/jsonip
https://api.config.zscaler.com/zscaler.net/ca/json
https://api.config.zscaler.com/zscaler.net/pac/json
https://api.config.zscaler.com/zscaler.net/zpa/json

(you can replace the <zscaler.net> with any Zscaler cloud for cloud-specific information)

2 Likes

The API doesn’t seem to expose the hub networks. Is that correct?

Previously my internal API, that the Palo Alto firewalls interface with, was able to fetch different sections; CENR, PAC or hub. I’ve updated my internal API to use https://api.config.zscaler.com/zscaler.net/cenr/json for CENR and https://api.config.zscaler.com/zscaler.net/pac/json for PAC but I’m struggling to figure out how to obtain the recommended hub networks as they’re listed on Config | Zscaler (firewall config requirements).

Any ideas?

I was unable to find the hub networks as well. I agree this would be helpful to add to the API.

I resorted to a hacky solution. I found that when you view the Firewall Config Requirements page in a web browser, it makes an AJAX call to https://api.config.zscaler.com/api/getdata/zscloud.net/all/fcr and builds the tables containing the IPs from that.

So I’m currently using that JSON data to get the required hub IPs into my internal API. Screenshot below (because I couldn’t get this forum to format the code correctly if I tried to copy/paste it).

But if Zscaler could expose a proper API, that would be much better.

1 Like

This is great, thank you for sharing! I’m going to use this in my code as well.

I’ve put my code on GitHub in case it’s of use to anyone else. It’s targeted at Palo Alto for use in External Dynamic Lists but depending on the firewall and how it works it’s not restricted to Palo Alto. For example using this I had a script to update groups on Check Point.

As well as Zscaler, it’ll provide IPs/networks for Microsoft 365 and Polycom RealConnect. For Zscaler it covers CENR, PAC and hub and you can specify which ZSCloud.

Have Zscaler updated their config API to provide a documented/supported way to obtain hub IPs yet?
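Added example, not part of the thread and not any poster's code: one way to turn a response from the `cenr/json` endpoint listed above into an External Dynamic List while refusing entries that would over-permit a firewall policy. The response layout is not shown in the thread, so the sample document, the key names in it and the `MIN_PREFIX` floor are assumptions; the walker ignores key names and collects anything that parses as an address or network.

```python
import ipaddress
import json
import urllib.request

CENR_URL = "https://api.config.zscaler.com/zscaler.net/cenr/json"  # from the thread
MIN_PREFIX = {4: 8, 6: 16}  # assumed sanity floor: refuse anything broader

# Constructed sample (documentation ranges). The real response layout is not
# shown in the thread, so the walker below does not depend on key names.
SAMPLE = {"zscaler.net": {"continent : Example": {
    "city : Example City": [
        {"range": "198.51.100.0/24", "gre": "198.51.100.10"},
        {"range": "203.0.113.0/25", "vpn": "vpn.example.invalid"},
        {"range": "2001:db8:1::/48"}],
    "city : Broken Entry": [
        {"range": "0.0.0.0/0"}, {"range": "203.0.113.77/25"}]}}}

def fetch(url=CENR_URL):
    """Download and decode the JSON document (not called by the sample run)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

def iter_strings(node):
    """Yield every string key and value in a nested JSON structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from iter_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_strings(value)

def build_edl(doc):
    """Return (sorted CIDR strings, rejected values) found anywhere in doc."""
    nets, rejected = set(), []
    for text in iter_strings(doc):
        try:
            iface = ipaddress.ip_interface(text.strip())
        except ValueError:
            continue  # not an address at all (names, hostnames, labels)
        net = iface.network
        if iface.ip != net.network_address or net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append(text)  # host bits set under a mask, or too broad
        else:
            nets.add(net)
    ordered = sorted(nets, key=lambda n: (n.version, n.network_address, n.prefixlen))
    return [str(n) for n in ordered], rejected

if __name__ == "__main__":
    cidrs, bad = build_edl(SAMPLE)
    print("\n".join(cidrs) if not bad else f"refusing to publish, rejected: {bad}")
```

Publishing nothing when any entry is rejected lets the firewall keep its last known-good list instead of loading a partial or over-broad one.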